The basics
ISO 27001 control A.5.14 Information transfer requires companies to define transfer rules, procedures, and agreements that protect information exchanged within the organization, and between the organization and third parties, whatever the means of transfer.
Documentation
ISO 27001 control A.5.14 Information transfer can be documented:
- for smaller companies, by writing Security Procedures for IT Department
- for mid-size and larger companies, by writing an Information Transfer Policy.
These documents are not mandatory under the standard, but they are recommended.
Implementation
In order to comply with control A.5.14 Information transfer you might implement the following:
- Technology — in most cases the technology needed for information transfer is already in place. Companies of all sizes can usually protect transfers by using cryptography to protect both the files being exchanged and the communication channels that carry them, and by configuring network devices (e.g., routers and firewalls) so that messages reach only their intended destination.
- Organization/processes — set up a process for defining the rules and steps to be followed for information transfer and, where necessary, for establishing formal agreements with third parties. Document these processes in the Security Procedures for IT Department or in the Information Transfer Policy.
- People — make employees aware of why information exchanged within the company and with outside parties must be protected, and train them on how to protect information during exchange and on how to confirm that it is being sent to the intended recipient.
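The following is an added example, not code from the page or from any ISO 27001 toolkit. It shows one concrete way the Technology and People points above can be backed by a check rather than a reminder: each file to be transferred is listed in a manifest with its SHA-256 digest, the manifest names the sender and the intended recipient, and the whole manifest is authenticated with an HMAC under a shared key that the formal agreement with the partner would establish. The receiving side rejects a transfer whose files were altered, whose manifest was signed with a different key, or which was addressed to someone else. The partner name, file names, and key here are constructed for illustration; confidentiality of the files in transit (encryption) is assumed to be provided separately by the channel or file encryption the text refers to.

```python
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(sender: str, recipient: str, files: dict) -> dict:
    """Manifest listing sender, intended recipient and a digest per file.

    `files` maps a file name to its bytes. Binding the recipient into the
    manifest means a misdirected transfer is detected, not just discouraged.
    """
    return {
        "sender": sender,
        "recipient": recipient,
        "files": {name: sha256_hex(data) for name, data in sorted(files.items())},
    }


def canonical(manifest: dict) -> bytes:
    """Deterministic JSON so sender and receiver MAC the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical manifest under the partner's shared key."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_transfer(manifest: dict, tag: str, files: dict, key: bytes, my_id: str):
    """Receiving-side check. Returns (ok, reason).

    Order matters: authenticate the manifest first, so every later decision
    (recipient, file list, digests) is based on data the partner actually sent.
    """
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, tag):
        return False, "manifest authentication failed"
    if manifest.get("recipient") != my_id:
        return False, f"addressed to {manifest.get('recipient')!r}, not {my_id!r}"
    listed = manifest.get("files", {})
    if set(listed) != set(files):
        return False, "received file set differs from manifest"
    for name, data in files.items():
        if not hmac.compare_digest(listed[name], sha256_hex(data)):
            return False, f"digest mismatch for {name}"
    return True, "ok"


# Constructed sample data (hypothetical partner, key and files).
PARTNER_KEY = b"example-shared-key-agreed-with-partner"
SAMPLE_FILES = {
    "payroll.csv": b"id,amount\n1,100\n2,250\n",
    "readme.txt": b"monthly export, see agreement section 4\n",
}


def demo():
    """Sender builds and signs; receiver verifies a good and a tampered copy."""
    manifest = build_manifest("acme-hr", "payroll-provider", SAMPLE_FILES)
    tag = sign_manifest(manifest, PARTNER_KEY)
    good = verify_transfer(manifest, tag, SAMPLE_FILES, PARTNER_KEY, "payroll-provider")
    tampered = dict(SAMPLE_FILES, **{"payroll.csv": b"id,amount\n1,100\n2,999\n"})
    bad = verify_transfer(manifest, tag, tampered, PARTNER_KEY, "payroll-provider")
    return good, bad


if __name__ == "__main__":
    for result in demo():
        print(result)
```

In practice the manifest and tag travel with the files (or ahead of them over a separate channel), and the verification result is what gets logged as evidence that the transfer procedure was followed.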
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.5.14 Information transfer: whether transfer rules, procedures, and agreements to protect exchanged information have been defined, and whether they are actually followed.